From f3249a701df76185103c978f3693684bb0c84b74 Mon Sep 17 00:00:00 2001
From: Steve Lhomme
Date: Wed, 1 Nov 2023 09:05:51 +0100
Subject: [PATCH] MemIOCallback: fix buffer overflow when writing too much data

If the addition of 2 positive values is smaller than one of the values then we have an overflowing addition. In this case we will not be able to allocate that much, just return a size written as 0.

(cherry picked from commit 2d5c11cc64a771c02882455f867805340ad76815)
Signed-off-by: Steve Lhomme
---
 src/MemIOCallback.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/MemIOCallback.cpp b/src/MemIOCallback.cpp
index 3121723b..6f3a8a55 100644
--- a/src/MemIOCallback.cpp
+++ b/src/MemIOCallback.cpp
@@ -96,6 +96,8 @@ void MemIOCallback::setFilePointer(int64 Offset, seek_mode Mode)
 size_t MemIOCallback::write(const void *Buffer, size_t Size)
 {
+ if (dataBufferPos + Size < Size) // overflow, we can't hold that much
+ return 0;
 if (dataBufferMemorySize < dataBufferPos + Size) {
 //We need more memory!
 dataBuffer = static_cast(realloc(static_cast(dataBuffer), dataBufferPos + Size));
@@ -110,6 +112,8 @@ size_t MemIOCallback::write(const void *Buffer, size_t Size)
 uint32 MemIOCallback::write(IOCallback & IOToRead, size_t Size)
 {
+ if (dataBufferPos + Size < Size) // overflow, we can't hold that much
+ return 0;
 if (dataBufferMemorySize < dataBufferPos + Size) {
 //We need more memory!
 dataBuffer = static_cast(realloc(static_cast(dataBuffer), dataBufferPos + Size));
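Review bot: The added guard rejects only a sum that wraps, so a large request that does not wrap still reaches `realloc`, whose result is assigned straight to `dataBuffer` in both `write` overloads (the second hunk has the same pattern); if the allocation fails, the old block is leaked and `dataBuffer` becomes null. Keep the result in a temporary and treat failure like the overflow case, e.g. `void *grown = realloc(dataBuffer, dataBufferPos + Size);` followed by `if (grown == nullptr) return 0;`, and only then assign through the existing cast. The declaration of `dataBufferPos` is outside the hunk: if it is wider than `size_t` on some targets, the sum would not wrap in the new check yet would be truncated when passed to `realloc`, so comparing `Size` against the remaining headroom of `size_t` may be more robust. Both function bodies continue past the hunk, so the code that copies into the buffer afterwards is not visible here.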